I have registered for OSCP and have been enjoying the labs/modules for two weeks now. Recently, I have been stuck at exploiting a Win 2008 Server SP1 which is the Master server in the lab domain. I have got shell on the Win 2003 Slave server and a few other XP flavors.

Just wondering whether anyone who is currently registered/finished OSCP can throw some light on ways to exploit the 2008 Master server? AFAIK, there is no remote buffer overflow for the Win 2008 server (at least not reported to the public).

impelse wrote: Come on guys, I've been studying this training for the last 2 1/2 weeks and I am still beginning the SMTP (my record shows me 19 hours).

How fast do you move with the material? I am trying to assimilate all the info and do all the labs and extra miles but I am not sure if 90 days will be enough.

I don't think there's a good answer for that because it's totally going to depend on your background. I thought v2 was pretty serious when I got it a few years ago, but I went through the v3 material a couple of months ago and was able to skim through most of it. The most difficult part for me is apparently to stop procrastinating and schedule the exam.

impelse wrote: Come on guys, I've been studying this training for the last 2 1/2 weeks and I am still beginning the SMTP (my record shows me 19 hours).

How fast do you move with the material? I am trying to assimilate all the info and do all the labs and extra miles but I am not sure if 90 days will be enough.

Here is something I will give a tip on concerning the OSCP and others like it: if your machine is doing only one thing, and you're focused on one thing... you're doing it wrong.

You're capable of opening up as many terminals as the amount of memory on your machine allows to perform functions. If you're doing the exam or others like it using a Unix based system, I suggest creating desktops for specific tasks, e.g.:

This is fine, but a waste of time. My goal is to find whether or not this host was running a webserver. Simply because I needed to enumerate it after the fact. Maybe with dirbuster or Nikto. I know that I need to do something AFTER the fact, and I don't want to sit around waiting for this to finish to get to the next stage.

I killed it as it was only an example. In exams like this where time is a factor, don't get bogged down with waiting on anything. There is nothing stopping you from automating a lot of tasks to narrow down the information you will need. This applies in the REAL world of penetration testing. Most times, I have automated scripts ready to roll the minute I pop a session. The reason for this is to allow me to get in and out and get as much data as quickly and silently as possible. When I say silent, if you've read any of my posts before, I use a LOT of decoys. I also tend to use alternative means for extracting data. E.g., I will use DNS, ICMP, UDP, SSL tunnels at a rate limited speed. I will throw data into comments on a webpage, then view the webpage and parse out the comments. Think outside the box. For some of these exams, it's not always about a 0day either. There is escalation and so forth. Config files, sniffing the wire from one machine to another. I would add "Try DIFFERENTLY" to their "Try Harder" motto.

Sil, I like your post. I was thinking something like that, how to speed up the process. Last night I was enumerating SNMP and I was using two terminals with different IP addresses trying to speed it up.

Also, when in the extra mile they ask to create a script to do some scanning, after I make it work I try to modify it as if another person will use it, only typing the filename + IP address.

Now to mix scripts with tools, I like to speed up the process... Good.

When I did my exam, I literally created a script to do the entire thing, and at the last minute many of my machines were firewalled, Bastille Linux'd, etc., so I had to modify it and parse out sections on the fly. I submitted the script to them as well and explained what it was I did and why. Unsure if that gave me brownie points heh...

So an approach would be something like:

if [ this scan shows http ]
then
    run these http based tools against those
else
    if [ this scan shows snmp ]
    then
        run these snmp based tools
    else
        if [ this scan shows http login forms ]
        then
            run hydra using this wordlist and dictionary list
        fi
    fi
fi

I would throw in walls after each command so you'll know step X was finished.
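One way to turn the if/then/fi sketch above into something that actually branches on scan results, as an added example that is not sil's script or anything from the course: it parses nmap grepable (-oG) output, sorts each open port into an enumeration stage, writes one target file per stage for the follow-up tools to read, and announces each finished step. The sample scan text, hosts and ports are constructed; the notify() function is where a `wall` would go.

```shell
#!/bin/sh
# Constructed sample of nmap grepable output (-oG); hosts and ports are made up.
SAMPLE_GNMAP='Host: 10.11.1.5 ()  Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 161/open/udp//snmp///
Host: 10.11.1.7 ()  Ports: 443/open/tcp//ssl|https///, 445/open/tcp//microsoft-ds///, 25/filtered/tcp//smtp///'

# Emit one "host port service" line per OPEN port found on stdin (filtered/closed are skipped).
# Field layout per port entry is port/state/proto/owner/service/... separated by "/".
open_ports() {
  awk '
    /^Host:/ && /Ports:/ {
      host = $2
      sub(/.*Ports: /, ""); sub(/[ \t]+Ignored State:.*/, "")
      n = split($0, ports, /, */)
      for (i = 1; i <= n; i++) {
        split(ports[i], f, "/")
        if (f[2] == "open") print host, f[1], f[5]
      }
    }'
}

# Map a service name to an enumeration stage: the branches of the if/then/fi chain.
stage_for() {
  case "$1" in
    http|*https*|http-proxy)  echo web ;;
    snmp)                     echo snmp ;;
    microsoft-ds|netbios-ssn) echo smb ;;
    *)                        echo generic ;;
  esac
}

# Announce a finished step; swap the printf for `echo "..." | wall` on a multi-desktop box.
notify() { printf 'step %s finished\n' "$1"; }

# Write one target file per stage (web.targets, snmp.targets, ...) so each stage's
# tool can consume it with its own target-list option, then announce each list.
build_plan() {
  outdir="$1"
  mkdir -p "$outdir" && rm -f "$outdir"/*.targets
  printf '%s\n' "$SAMPLE_GNMAP" | open_ports | while read -r host port svc; do
    echo "$host:$port" >> "$outdir/$(stage_for "$svc").targets"
  done
  for f in "$outdir"/*.targets; do notify "$(basename "$f" .targets)"; done
}

# Helper: the targets recorded for one stage, space separated (used by the checks).
targets_for() { tr '\n' ' ' < "$1/$2.targets" | sed 's/ $//'; }

build_plan "${TMPDIR:-/tmp}/enum-plan"
```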

sil wrote: Most times, I have automated scripts ready to roll the minute I pop a session. The reason for this is to allow me to get in and out and get as much data as quickly and silently as possible. When I say silent, if you've read any of my posts before, I use a LOT of decoys.

Do you ever find yourself testing on networks that have NAC? Most decoy / noise activities typically get you shut down quickly. Beyond low-and-slow, do you have alternate strategies for those situations?

ajohnson wrote: Do you ever find yourself testing on networks that have NAC? Most decoy / noise activities typically get you shut down quickly. Beyond low-and-slow, do you have alternate strategies for those situations?

Client sides. I am a stickler for spelling things out from the jump. When we meet with clients, I often take the time to explain to them the differences in attacks and attackers. I always explain to them the realities and costs associated with an attack because there is a cost for an attacker, and there are different types of attackers.

Once a client understands the differences (an INTENT attacker: someone who wants in no matter what the cost), they almost always allow me to try anything and everything. So most of the time I perform 4 types of tests. I've documented those different tests in the document I wrote for the RWSP (outside attacker, outside attacker w/creds, insider, insider w/creds). By insider, it does not solely mean "Joe who works for the IT department"; it extends to the social engineer who'll find a way onto the environment and work blindly, as well as that same social engineer who managed to get credentials.

It all boils down to your SOW and your presentation well beforehand to get your client to agree to full blown testing.

sil wrote: By insider, it does not solely mean "Joe who works for the IT department"; it extends to the social engineer who'll find a way onto the environment and work blindly, as well as that same social engineer who managed to get credentials.

This can be a surprisingly difficult point to get across. People are still fixated on the idea of a firmly defined perimeter between "us" and "them," and that hasn't been the case for a decade+. Sorry, your users will click on links, documents, and executables and disclose information with reckless abandon.

sil wrote: It all boils down to your SOW and your presentation well beforehand to get your client to agree to full blown testing.

Absolutely. I was specifically speaking from a technical perspective where they wanted to leave NAC in place during an engagement.

Last edited by dynamik on Thu Apr 05, 2012 9:58 am, edited 1 time in total.